IN THE CLAIMS 

1. (Currently Amended) A method for providing access control in a computing 
system environment, the method comprising the steps of: 

receiving an access request; 

selecting, based on the access request, a [[selected]] set of rules containing 
at least one rule from a [[at least one]] master set of rules; and 

[[performing at least one rule operation in the at least one rule in the 
selected set of rules to produce an access control decision until at least one of: 

i) a rule operation including a disregard instruction is performed to 
limit performance of rule operations in the selected set of rules; and 

ii) all rule operations in the selected set of rules that are applicable 
to the access control decision are performed; 

wherein at least one rule in the selected set of rules contains a rule 
operation including an unconditional disregard instruction; and 

wherein the step of performing includes the steps of:]] 

producing an access control decision based on performing [[less than all]] 
rule operations in a given rule [[defined within the at least one rule in]] of the 
selected set of rules by sequentially performing rule operations in the given [[each]] 
rule until performing a [[in the selected set of rules until the unconditional]] disregard 
instruction [[is performed]], the disregard instruction including disregard criteria 
identifying a type of other rule operations in the selected set of rules to disregard 
from performing; and [[thereby terminating the performance of any remaining rule 
operations in the selected set of rules]] 

after performing the unconditional disregard instruction in the given rule: 

i) evaluating the disregard criteria against any remaining 
unperformed rule operations in other rules of the selected set of rules, the 
other rules being rules other than the given rule; 

ii) marking any remaining unperformed rule operations in the other 
rules of the selected set of rules that match the disregard criteria to be 
disregarded from further rule processing; and 

iii) executing remaining unmarked rule operations in the other rules 
in the selected set of rules. 

2. (Original) The method of claim 1 wherein the step of performing includes the 
step of producing an access control decision indicating whether to allow access, 
on behalf of a requestor submitting the access request, to a resource in the 
computing system environment. 

3. (Currently Amended) The method of claim 1 wherein the step of selecting 
includes the steps of: 

determining an identity of a [[the]] resource in the computing system 
environment to which access is requested in the access request; and 

applying at least one filter operation, using the identity of the resource, for 
rules in the [[at least one]] master set of rules to produce the selected set of rules 
for use in determining the access control decision for [[to]] the resource. 

4. (Currently Amended) The method of claim 3 further including the step of: 

determining a role identity of a requestor submitting the access request; 

and 

wherein the step of applying applies the at least one filter operation, using 
the role identity of the requestor submitting the access request in combination 
with the identity of the resource, for rules in the [[at least one]] master set of rules to 
produce the selected set of rules for use in determining the access control 
decision to the resource. 

5. (Cancelled) 

6. (Previously Presented) The method of claim 1 wherein the selected set of 
rules is arranged hierarchically such that rules containing rule operations that are 
more specific are performed before rule operations that are more general. 
7. (Canceled) 

8. (Canceled) 

9. (Currently Amended) The method of claim 1 wherein the step of selecting 
includes the steps of: 

determining an identity of a resource in the computing system 
environment to which access is requested in the access request; and 

applying at least one filter operation, using the identity of the resource, for 
rules in the at least one master set of rules to produce the selected set of rules 
for use in determining the access control decision to the resource; and 

wherein the method further includes the step of determining a role identity 
of a requestor submitting the access request; and 

wherein the step of performing includes sequentially processing [[processes]] 
each rule operation in the selected set of rules using the role identity of the 
requestor submitting the access request in combination with the identity of the 
resource to determine if the requestor using the role identity can access the 
resource. 

10. (Canceled) 

11. (Canceled) 

12. (Currently Amended) The method of claim 1 [[claim 10]] wherein: 

the selected set of rules is arranged hierarchically such that rules 
containing rule operations that are more specific are performed before rules 
containing rule operations that are more general such that placement of the 
disregard instruction in one of the [[at least one]] rules in the selected set of rules 
causes the step of performing to control an amount of access control provided to 
a [[the]] requestor that submitted the access request for access to a respective [[the]] 
resource. 

13. (Currently Amended) The method of claim 1 [[claim 10]] wherein the disregard 
instruction is a conditional instruction that has a condition that must be met 
before the disregard instruction is performed. 

14. (Original) The method of claim 1 wherein: 

at least one rule in the selected set of rules contains a relation that defines 
a condition based on a group definition; and 

wherein at least one of the steps of selecting and performing includes the 
step of: 

performing the relation to determine if at least one of a requestor, an 
access, and a resource specified in the access request satisfy the condition 
based on the group definition. 

15. (Canceled) 

16. (Canceled) 

17. (Canceled) 

18. (Canceled) 

19. (Currently Amended) A computer system configured to provide access 
control, the computer system comprising: 

at least one input/output interface; 
a processor; 

a memory system encoded with an authorization program; 
at least one authorization database; 
an interconnection mechanism coupling the processor, the at least one 
input/output interface, the memory system, and the at least one authorization 
database; 

based at least in part on the processor executing the authorization 
program, the processor supporting steps of: 

receiving an access request; 

selecting, based on the access request, a set of rules containing at least 
one rule from a master set of rules; 

producing an access control decision based on performing rule operations 
in a given rule of the selected set of rules by sequentially performing rule 
operations in the given rule until performing a disregard instruction, the disregard 
instruction including disregard criteria identifying a type of other rule operations in 
the selected set of rules to disregard from performing; and 

after performing the unconditional disregard instruction in the given rule: 

i) evaluating the disregard criteria against any remaining 
unperformed rule operations in other rules of the selected set of rules, the 
other rules being rules other than the given rule; 

ii) marking any remaining unperformed rule operations in the other 
rules of the selected set of rules that match the disregard criteria to be 
disregarded from further rule processing; and 

iii) executing remaining unmarked rule operations in the other rules 
in the selected set of rules. 

[[wherein the at least one input/output interface receives an access request 
from a requestor and the processor performs the authorization program in the 
memory system to select, based on the access request, a selected set of rules 
containing at least one rule from at least one master set of rules maintained 
within the at least one authorization database; and 

wherein the processor performs at least one rule operation in the at least 
one rule in the selected set of rules to produce an access control decision in the 
memory system until at least one of: 

i) a rule operation including a disregard instruction is performed to 
limit performance of rule operations in the selected set of rules; and 

ii) all rule operations in the selected set of rules that are applicable 
to the access control decision are performed; 

wherein at least one rule in the selected set of rules in the authorization 
database contains a rule operation including an unconditional disregard 
instruction; and 

wherein when the processor performs at least one rule operation, the 
processor performs less than all rule operations defined within the at least one 
rule in the selected set of rules by sequentially performing rule operations in each 
rule in the selected set of rules until the unconditional disregard instruction is 
performed thereby terminating the performance of any remaining rule operations 
in the selected set of rules.]] 

20. (Currently Amended) The computer system of claim 19 wherein the 
processor, via performance of the at least one rule operation, produces an 
access control decision indicating whether to allow access, on behalf of a [[the]] 
requestor submitting the access request, to a [[an]] resource in the computing 
system environment. 

21. (Currently Amended) The computer system of claim 19 wherein: 

the processor performs the authorization program to select the [[the 
selected]] set of rules and to determine an identity of a resource in the computing 
system environment to which access is requested in the access request; and 

the processor performs the authorization program to apply at least one 
filter operation from the at least one authorization database, using the identity of 
the resource, for rules in the [[at least one]] master set of rules to produce the 
selected set of rules for use in determining the access control decision to the 
resource. 
22. (Currently Amended) The computer system of claim 21 [[claim 19]] wherein the 
processor performs the authorization program which determines a role identity of 
a requestor submitting the access request; and 

wherein when the processor performs the authorization program to apply 
at least one filter operation, the authorization program applies the at least one 
filter operation, using the role identity of the requestor submitting the access 
request in combination with the identity of the resource, for rules in the [[at least 
one]] master set of rules to produce the selected set of rules for use in determining 
the access control decision to the resource. 

23. (Cancelled) 

24. (Previously Presented) The computer system of claim 19 wherein the 
selected set of rules is arranged hierarchically such that when the processor 
performs the authorization program, rules containing rule operations that are 
more specific are performed before rule operations that are more general. 

25. (Canceled) 

26. (Canceled) 

27. (Original) The computer system of claim 19 wherein when the processor 
performs the authorization program to select a selected set of rules, the 
processor: 

determines an identity of a resource to which access is requested in the 
access request; and 

applies at least one filter operation, using the identity of the resource, for 
rules in the at least one master set of rules to produce the selected set of rules 
for use in determining the access control decision to the resource; and 
wherein when the processor performs the authorization program, the 
processor determines a role identity of a requestor submitting the access 
request; and 

wherein the processor sequentially processes each rule operation in the 
selected set of rules using the role identity of the requestor submitting the access 
request in combination with the identity of the resource to determine if the 
requestor using the role identity can access the resource. 

28. (Original) 

29. (Original) 

30. (Currently Amended) The computer system of claim 19 [[claim 28]] wherein: 

the selected set of rules is arranged hierarchically such that rules 
containing rule operations that are more specific are performed by the processor 
before rules containing rule operations that are more general such that 
placement of the disregard instruction in one of the at least one rules in the 
selected set of rules causes the authorization program, when performed on the 
processor, to control an amount of access control provided to the requestor that 
submitted the access request for access to the resource. 

31. (Original) The computer system of claim 28 wherein the disregard 
instruction is a conditional instruction that has a condition that must be met 
during processing by the processor before the disregard instruction is performed. 

32. (Original) The computer system of claim 19 wherein: 

at least one rule in the selected set of rules contains a relation that defines 
a condition based on a group definition; and 

wherein when the processor performs at least one of the operations of 
selecting and performing, the processor performing the relation to determine if at 
least one of a requestor, an access, and a resource specified in the access 
request satisfy the condition based on the group definition. 

33. (Canceled) 

34. (Canceled) 

35. (Canceled) 

36. (Canceled) 

37. (Canceled) 

38. (Canceled) 

39. (Canceled) 

40. (Canceled) 

41. (Canceled) 

42. (Canceled) 

43. (Canceled) 

44. (Canceled) 

45. (Currently Amended) A method for controlling applicability of rule operations 
in a rule-based access control system, the method comprising the steps of: 

selecting at least two rules [[one rule]] for performance to determine an 
access control decision, the at least two rules including a first rule and a second 
rule; and 

performing a rule operation in the first rule of the at least two rules [[in the at 
least one rule]], the rule operation including a disregard instruction that, when 
performed, causes non-performance of at least one other rule operation in the 
second rule [[in at least one rule]] that is disregarded based on the disregard 
instruction [[selected for performance to determine the access control decision]]; 
and 

performing at least one rule operation in the second rule other than the at 
least one rule operation in the second rule that is disregarded. 

46. (Canceled) 

47. (Canceled) 

48. (Canceled) 

49. (Canceled) 

50. (Canceled) 

51. (Canceled) 

52. (Currently Amended) A method for providing access control in a computing 
system environment, the method comprising the steps of: 

receiving an access request; 

selecting, based on the access request, a set of rules containing multiple 
rules from at least one master set of rules, at least one of the multiple rules 
including multiple rule operations to be performed in sequential order; 
for a [[given]] first rule of the multiple rules: 

performing a filter operation associated with the [[given]] first rule to 
identify whether to execute any rule operations in the [[given]] first rule; and 

performing multiple operations in the first rule to determine whether 
to provide access to a storage system in response to receiving the access 
request, the first rule including a disregard instruction that, when executed, 
limits performance to fewer than all rule operations in a second rule of the 
selected set of rules as specified by disregard criteria in the disregard 
instruction. 

53. (Currently Amended) A method as in claim 52, wherein the filter operation is 
an IF-THEN operation and performance of the IF-THEN operation provides an 
indication whether to perform rule operations in the [[given]] first rule. 

54. (Canceled) 

55. (Currently Amended) A method as in claim 52 [[claim 54]], wherein the 
disregard instruction is a conditional disregard instruction, which limits a 
performance of other rule operations in multiple rules other than the [[given]] first 
rule in the selected set of rules depending on occurrence of a corresponding 
condition as specified by the disregard criteria in the disregard instruction. 

56. (Currently Amended) A method as in claim 55 further comprising: 

performing at least one other rule operation in the [[given]] first rule as well 
as other rules in the selected set of rules after performing the [[a]] conditional 
disregard instruction. 

57. (Currently Amended) A method as in claim 53 [[claim 52]], wherein 
performance of the IF-THEN operation includes identifying whether an 
application generating the access request uses a particular resource in the 
storage system as well as whether a requestor associated with the access 
request is a member of a particular specified group and, if so, performing the rule 
operations in the first [[given]] rule. 

58. (New) A method for providing access control in a computing system 
environment, the method comprising: 

receiving an access request; 

in response to receiving the access request, selecting a set of rules for 
processing to determine whether to permit the access request; 

during processing of the set of rules, performing a conditional disregard 
rule operation in the set of rules; 

based on performing the conditional disregard rule operation, disregarding 
execution of at least one rule operation other than the conditional disregard rule 
operation in the set of rules as specified by the conditional disregard rule 
operation; and 

after performing the conditional disregard rule operation, performing at 
least one other rule operation in the set of rules not specified by disregard criteria 
in the conditional disregard rule operation. 

59. (New) A method as in claim 58 further comprising: 

comparing disregard criteria in a data field associated with the conditional 
disregard rule operation to data in other rule operations to identify which other 
rule operations in the selected set of rules to disregard from performance. 

60. (New) A method as in claim 58, wherein a field of data in the conditional 
disregard rule operation specifically identifies a first type of rule operations that 
are to be disregarded from execution in the set of rules, execution of the 
conditional disregard rule not having any effect on whether to perform a second 
type of rule operations in the set of rules. 
61. (New) A method as in claim 60, wherein performing a conditional disregard 
rule operation further comprises identifying disregard criteria in the conditional 
disregard rule operation, the method further comprising: 

upon performing the conditional disregard rule operation, marking any 
remaining unperformed rule operations in the set of rules as identified by the 
disregard criteria; and 

continuing performance of rule operations in the set of rules that are not 
marked to be disregarded. 

62. (New) A method as in claim 58 further comprising: 

during processing of the set of rules, performing an unconditional 
disregard rule operation in the set of rules that results in termination of 
performing any other rule operations in the selected set of rules. 

63. (New) A method for providing access control in a computing system 
environment, the method comprising: 

receiving an access request; 

in response to receiving the access request, selecting a first set of rules 
and a second set of rules for processing to determine whether to permit the 
access request, the first set of rules and the second set of rules each including 
multiple rule operations; 

during processing of the first set of rules, performing a disregard rule 
operation in the first set of rules; and 

based on performing the disregard rule operation, disregarding execution 
of at least one rule operation in the second set of rules as identified by the 
disregard rule operation. 

64. (New) A method as in claim 63, wherein selecting the first set of rules and 
the second set of rules includes applying a respective first filter and a second 
filter to identify whether to select the first set of rules and the second set of rules 
for execution. 

65. (New) A method as in claim 63 further comprising: 

after disregarding execution of at least one rule operation in the second 
set of rules as identified by the disregard rule operation in the first set of rules, 
performing at least one rule operation in the second set of rules not associated 
with the disregard rule operation. 

66. (New) A method as in claim 63 further comprising: 

following completion of executing the first set of rules and the second set 
of rules, generating an access control decision whether to permit the access 
request. 

67. (New) A method as in claim 63, wherein the disregard rule operation is a 
conditional disregard rule operation, a field of data in the conditional disregard 
rule operation specifically identifying a first type of rule operations that are to be 
disregarded from execution in the first set of rules and the second set of rules, 
execution of the conditional disregard rule not having any effect on whether to 
perform a second type of rule operation in the second set of rules. 

68. (New) A method as in claim 67, wherein performing a conditional disregard 
rule operation includes identifying disregard criteria in the conditional disregard 
rule operation, the method further comprising: 

upon performing the conditional disregard rule operation, marking any 
remaining unperformed rule operations in the first set of rules and the second set 
of rules as identified by the disregard criteria; and 

continuing performance of rule operations in the first set of rules and the 
second set of rules that are not marked to be disregarded. 
69. (New) A method as in claim 67 further comprising: 

during processing of the first set of rules, performing an unconditional 
disregard rule operation that results in termination of performing all other rule 
operations in the selected first set of rules and the second set of rules. 

70. (New) A method for providing access control in a computing system 
environment, the method comprising: 

receiving an access request to access data in the computing system 
environment; 

comparing the access request to a master rule set, each rule in the master 
rule set including a filter and a corresponding set of rule operations to be 
performed pending evaluation of the filter condition; and 

for each rule containing a filter operation that evaluates to indicate 
execution of rule operations of that rule, executing the rule operations of that rule; 

during execution of rule operations of that rule, executing a first conditional 
disregard instruction that establishes a first set of pre-conditions that must be met 
in successive rules in the master rule set in order for those successive rules to be 
executed after the rule containing the first conditional disregard instruction has 
been executed; and 

executing at least one successive rule in the master rule set for which the 
access request meets the filters of those successive rules, and for which the first 
set of pre-conditions established by executing the first conditional disregard 
instruction are also met. 

71. (New) The method of claim 70 wherein executing only the successive rules 
in the master rule set comprises: 

executing a second conditional disregard instruction that establishes a 
second set of pre-conditions that must also be met in addition to the first set of 
pre-conditions established by the first disregard instruction for any remaining 
successive rules in the master rule set to be executed. 
72. (New) The method of claim 71 wherein pre-conditions established by 
execution of the conditional disregard instructions indicate a type of data upon 
which rule operations of successive rules in the master rule set operate that are 
not to be executed during execution of the successive rules in the master rule 
set. 

73. (New) The method of claim 72 wherein the filter of at least one rule in the 
master rule set includes a test of whether an application associated with the 
access request uses a particular resource associated with the request. 

74. (New) The method of claim 72 wherein the filter of at least one rule in the 
master rule set includes a test of whether at least two resources associated with 
the access request are connected to each other. 

75. (New) The method of claim 72 comprising skipping execution of those 
successive rules in the master rule set for which the access request does not 
meet the filters of those successive rules, and for which the first and second set 
of pre-conditions established by executing the first and second disregard 
instructions are not met. 

76. (New) A computer program product having a computer-readable medium 
including computer program logic encoded thereon that when executed on a 
computer system provides a method for controlling access to a resource, and 
wherein when the computer program logic is executed on a processor in the 
computer system, the computer program logic causes the processor to perform 
the operations of: 

receiving an access request to access data in the computing system 
environment; 
comparing the access request to a master rule set, each rule in the master 
rule set including a filter and a corresponding set of rule operations to be 
performed pending evaluation of the filter condition; and 

for each rule containing a filter operation that evaluates to indicate 
execution of rule operations of that rule, executing the rule operations of that rule; 

during execution of rule operations of that rule, executing a first conditional 
disregard instruction that establishes a first set of pre-conditions that must be met 
in successive rules in the master rule set in order for those successive rules to be 
executed after the rule containing the first conditional disregard instruction has 
been executed; and 

executing at least one successive rule in the master rule set for which the 
access request meets the filters of those successive rules, and for which the first 
set of pre-conditions established by executing the first conditional disregard 
instruction are also met. 
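The evaluation procedure recited in claims 1 and 19 (filter-based selection, sequential rule operations, a disregard instruction whose criteria mark the unperformed operations of other rules by type, and an unconditional disregard that terminates processing), together with the filter tests and cumulative pre-conditions of claims 70 through 76, worked through as an added example. This code is not from the application or any product. The rule names, groups, applications, resources and data types (config, payload, log) are constructed for illustration, and the tie-break that the first permit or deny for a data type wins, with anything left undecided denied, is an assumption of the example: the claims order rules most specific first but do not say how conflicting permits and denies are resolved.

```python
"""Rule-based access control with conditional and unconditional disregard
instructions.  Added illustration; every name below is constructed."""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Request:
    requestor: str
    role: str
    groups: frozenset       # requestor's group memberships
    application: str        # application that generated the request
    resource: str           # resource (e.g. a storage system) being accessed

# Constructed inventory: resources each application is known to use.
APP_USES = {"backup_svc": {"db1", "log_store"}, "web_portal": {"db1"}}

@dataclass(frozen=True)
class Op:
    """'permit'/'deny' for a data type; 'disregard' (conditional: criteria name
    the data types whose unperformed ops in later rules are skipped);
    'disregard_all' (unconditional: processing stops)."""
    kind: str
    data_type: str = ""
    criteria: frozenset = frozenset()
    condition: Optional[Callable[[Request], bool]] = None

@dataclass(frozen=True)
class Rule:
    name: str
    filter: Callable[[Request], bool]   # IF-THEN gate on the whole rule
    ops: tuple                          # rule operations, performed in order

def select_rules(master, req):
    """Selection step: keep the rules whose filter accepts the request."""
    return [r for r in master if r.filter(req)]

def evaluate(master, req):
    """Perform the selected rules' operations in sequence.  Returns (decisions,
    trace): decisions maps data type -> True/False from the first permit/deny
    covering it (most specific rule first, so it wins); trace lists
    (rule name, op index, outcome) for every op reached."""
    selected = select_rules(master, req)
    marked = set()                      # (rule index, op index) pairs to skip
    decisions, trace = {}, []
    for i, rule in enumerate(selected):
        for j, op in enumerate(rule.ops):
            if (i, j) in marked:
                trace.append((rule.name, j, "disregarded"))
            elif op.kind in ("permit", "deny"):
                decisions.setdefault(op.data_type, op.kind == "permit")
                trace.append((rule.name, j, op.kind))
            elif op.kind == "disregard":
                if op.condition is not None and not op.condition(req):
                    trace.append((rule.name, j, "condition not met"))
                    continue
                # Evaluate the criteria against the remaining unperformed ops of
                # the OTHER rules and mark the matches; marks from successive
                # disregards accumulate.  Unmarked ops in those rules still run.
                for k in range(i + 1, len(selected)):
                    for m, other in enumerate(selected[k].ops):
                        if other.data_type in op.criteria:
                            marked.add((k, m))
                trace.append((rule.name, j, "disregard " + ",".join(sorted(op.criteria))))
            elif op.kind == "disregard_all":
                trace.append((rule.name, j, "stop"))
                return decisions, trace     # terminate all remaining processing
    return decisions, trace

def decide(master, req, data_type):
    """Access control decision for one data type; anything undecided is denied."""
    return evaluate(master, req)[0].get(data_type, False)

MASTER_RULES = (   # ordered most specific first
    Rule("admin_override", lambda r: r.role == "admin",
         (Op("permit", "config"), Op("permit", "payload"), Op("permit", "log"),
          Op("disregard_all"))),      # nothing more general is consulted
    Rule("backup_on_storage",
         # IF the application uses the resource AND the requestor is a backup operator
         lambda r: r.resource in APP_USES.get(r.application, set())
         and "backup_operators" in r.groups,
         (Op("permit", "payload"),
          # on the production store, no later rule may decide about "config"
          Op("disregard", criteria=frozenset({"config"}),
             condition=lambda r: r.resource == "db1"),
          Op("permit", "log"))),
    Rule("operators", lambda r: r.role == "operator",
         (Op("disregard", criteria=frozenset({"log"}),
             condition=lambda r: "auditors" not in r.groups),
          Op("permit", "payload"))),
    Rule("staff_default", lambda r: "staff" in r.groups,
         (Op("permit", "config"), Op("permit", "log"), Op("deny", "payload"))),
)

if __name__ == "__main__":
    req = Request("bob", "backup", frozenset({"backup_operators", "staff"}),
                  "backup_svc", "db1")
    for step in evaluate(MASTER_RULES, req)[1]:
        print(step)
    print({t: decide(MASTER_RULES, req, t) for t in ("config", "payload", "log")})
```

Run as a script, the trace shows a backup operator touching db1: the specific rule permits payload and log, its conditional disregard fires because the resource is db1, and the general staff rule's permit for config is marked and skipped while that rule's other operations still run, so config stays denied. Against log_store the condition is not met and the general rule's config permit executes. When both the backup rule and the operators rule are selected, their two disregards accumulate, which is the second set of pre-conditions of claim 71; an admin hits the unconditional disregard and no more general rule is consulted at all, which is the placement effect of claims 12 and 30.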



